Installing or Renewing a 2048 bit SSL Certificate on Citrix Access Essentials/Xenapp Fundamentals

I had to renew a 2048 bit Godaddy SSL certificate on a Citrix Access Essentials server today. This article on the Citrix knowledgebase explains how to install the certificate in Quick Start, but is a bit light on detail for the IIS part so I thought I would document it here.

Firstly you need to generate a certificate request or renewal request on the Citrix Access Essentials or Xenapp Fundamentals external website in IIS manager. Right click the website and choose ‘properties’, then click on the  ‘Directory Security’ tab. In the ‘Secure Communications’ section click on the ‘Server Certificate’ button, and the server certificate wizard will start. Click Next, and the following screen will appear:

Creating the renewal or certificate request

In this case I was renewing the existing 2048 bit certificate, so selected ‘renew the current certificate’ and clicked next. On the next screen choose ‘prepare the request now but send it later:

Preparing the request

Finish the wizard, and save the request for processing with your SSL provider. In this case the provider is Godaddy, but the process will be similar for other providers. Log into Godaddy, select the certificate you want to renew (assuming you have already purchased the renewal credit), and choose ‘Request Certificate’ .

Requesting a new certificate using Godaddy


On the next screen select ‘Third Party or Dedicated Server, and then paste the contents of the certificate request that you generated in IIS into the CSR field as shown:

Processing the CSR with Godaddy

Submit the request and then wait for Godaddy to process it, completing any necessary domain control, or other validation processes that may be required. Once the certificate processing is complete, download your new certificate from Godaddy. If this is the first time you have installed a Godaddy certificate on the server you will also need to install intermediate certificates that come in the zip file on your server. Further documentation on this can be found on the Godaddy website here.

Next install the new certificate using IIS manager. Again, right click the Citrix external website and choose ‘Properties’, then click on the ‘Directory Security’ tab. In the ‘Secure Communications’ section click on the ‘Server Certificate’.  In the wizard choose ‘process the pending request and install the certificate’.

Processing the pending certificate request in IIS

Browse to the new certificate .crt file you downloaded from Godaddy and click next. You may need to select ‘All files’ to view this file.  

Now the next screen can cause a bit of a gotcha. By default the wizard wants to choose standard SSL port 443 to install this certificate on. If you select this port it will conflict with Citrix and cause an error message when accessing the website after installing the certificate. Make sure you select a different port in the wizard, such as 444 to prevent a conflict with Citrix Access Essenstials, then click ‘Next’.

Select an SSL port other than 443, such as 444 in the wizard to prevent a conflict with Citrix

Failure to change the port will result in the error ‘Bad Gateway! The proxy server received an invalid response from the upstream server. Error 502’, which can be seen below:

Error message when installing new SSL certificate on Citrix Access Essentials/Xenapp Fundamentals Bad Gateway error 502

Review the final screen, and complete the wizard. Finally, run up the Citrix quick start tool and choose ‘Manage External Access’, under the ‘External Access’ section. From here you can choose the new certificate to use with Citrix Access Essentials. These steps are documented in the Citrix document. After that you’re done!


15 Responses to Installing or Renewing a 2048 bit SSL Certificate on Citrix Access Essentials/Xenapp Fundamentals

  1. John says:

    I am not locating ‘Properties’ for the website using the IIS 7 Manager

  2. saverio says:

    I have successfully installed the new certificate to 2048 bits, opens the portal and it works well access, applications are displayed to the user, but when he opens the application exits “”cannot connect to the citrix metaframe server protocol drive error”. With the old certificate was all ok. Do you know help me understand the problem?

  3. saverio says:

    we have a secure gateway connected to the firewall with DMZ

  4. saverio says:

    We have installed two certificates and a rapid Geo but always the same error protocol error.
    now I can not do the test because the old certificate is installed for users to work with the new certificate seems to work but in the HTTP error log on CSG tells me “unable to load ssl certificate for server FQDN: 443 hint: SSLCertificateHash “. In addition, the secure gateway diagnostic says in Check Certificate
    FQDN = ok
    Unable to find server certificate.

    I installed the new certificate only in the CSG server where there is a secure gateway and web presentation, do not know if something is to be installed also in the other citrix server where there are applications and the Citrix because here I have done nothing but some say they help configure SSL Relay on the citrix server that is currently empty and has no parameter. Can you help me understand more please?

  5. saverio says:

    SSL247, we installed the intermediate with RapidSSL, now with the Geo, we imported the certificate but not the middle, it seems to me, however, the error is always the same

  6. saverio says:

    thanks but I had already seen these sites and just have not found the solution yet, keep looking

  7. saverio says:

    this seems to be my problem but I have not secure gateway and access gateway

  8. saverio says:

    HTTP does not work either: cannot connect to the Citrix MetaFrame server, SSL Error 21: The proxy denied access, 40, STA …… Ports 1494

  9. saverio says:

    HTTP does not work either: can not connect to the Citrix MetaFrame server, SSL Error 21: The proxy denied access, 40, STA …… Ports 1494

  10. saverio says:

    The problem is that when we put the new 2048-bit certificate, restart the server and will not start the gateway server and then “access suite console-> web interface-> Edit DMZ” only works if I put Direct, if I leave Secure Gateway Direct loads the portal page can enter the credentials and see the applications but when loading any application out the error above
    What is the problem if I leave set to “Direct” in edit DMZ?

  11. Pingback: Godaddy Access Ssh

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: